
Active Directory and .NET

clamum

I need to take a username and a domain and see if the user exists in the Active Directory directory for that domain.

I can do this fine if I use the DirectoryEntry constructor that expects a domain, username, and password, but the way the application will be set up means I will not have a password. To be more specific, this is a web application and the username is passed in the URL string. The application then grabs that username and performs Active Directory authentication to see if the user exists, and if so, logs him/her into the web application.

So I am wondering if there is a way to do this with just a domain and username. I don't wish to update any Active Directory structure or information, I just simply want to check if username xxx exists in domain yyy.

So far I'm having no luck. 🙁 Any help would be great.
 
Some old code I have that will do what you are asking:

Imports System.Data
Imports System.DirectoryServices

Public Function GetUserInfo(ByVal UserName As String) As DataSet
    'returns info for a specific user
    '_path is the search root defined elsewhere in the class (assumed to be a DirectoryEntry)
    'escape LDAP filter metacharacters (RFC 4515) so the name cannot change the filter
    Dim safeName As String = UserName.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29")
    Dim search As DirectorySearcher = New DirectorySearcher(_path)
    search.Filter = "(sAMAccountName=" & safeName & ")"
    search.PropertiesToLoad.Add("sAMAccountName")
    search.PropertiesToLoad.Add("displayName")
    Dim dsUsers As DataSet
    Try
        Dim results As SearchResultCollection = search.FindAll

        'convert result collection into dataset
        dsUsers = InitializeUserDataset()
        Dim r As SearchResult
        For Each r In results
            Dim dr As DataRow
            dr = dsUsers.Tables("Users").NewRow
            'a missing attribute comes back as an empty collection, not Nothing
            If r.Properties("displayName").Count > 0 Then 'must have display name
                dr("DisplayName") = r.Properties("displayName")(0)
                If r.Properties("sAMAccountName").Count > 0 Then 'must have account name
                    dr("UserName") = r.Properties("sAMAccountName")(0)
                    dsUsers.Tables("Users").Rows.Add(dr)
                End If
            End If
        Next
    Catch ex As Exception
        'keep the original exception as the inner exception
        Throw New Exception("Error obtaining users: " & ex.Message, ex)
    End Try
    Return dsUsers
End Function
 
Yeah with your code WannaFly I get the same exception I was getting before: "The specified domain either does not exist or could not be contacted".

It makes sense that you need a password to even query Active Directory but the specs for the web app I'm working on make no mention of a password. They just want to grab the username in the URL string and validate it against AD for authentication into the application. No password is sent along with it which it looks like it will need to be done.
 
Originally posted by: clamum
Yeah with your code WannaFly I get the same exception I was getting before: "The specified domain either does not exist or could not be contacted".

It makes sense that you need a password to even query Active Directory but the specs for the web app I'm working on make no mention of a password. They just want to grab the username in the URL string and validate it against AD for authentication into the application. No password is sent along with it which it looks like it will need to be done.

You need a service account that you use to create the DirectoryEntry. It will need read access for the OU you're trying to find the user in. There is no way around this.
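
The service-account lookup described in the reply above, as an added example that is not code from any poster in this thread: it binds with explicit read-only credentials and escapes the URL-supplied name before it reaches the LDAP filter. The module name, function names and parameter names are assumptions; the service account's password would come from protected configuration, never from the request.

```vbnet
Imports System.DirectoryServices

Public Module AdLookup
    ' Escape RFC 4515 filter metacharacters. The backslash is replaced first so
    ' the escapes added for the other characters are not escaped a second time.
    Public Function EscapeLdapFilterValue(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
            .Replace(")", "\29").Replace(vbNullChar, "\00")
    End Function

    ' Returns True when a user object with this sAMAccountName exists under ldapPath.
    ' ldapPath:  e.g. LDAP://DC=Contoso,DC=com
    ' svcUser / svcPassword: service account with read access to the OU being
    ' searched (hypothetical parameters, supplied by the application's configuration).
    Public Function UserExists(ByVal ldapPath As String, ByVal svcUser As String,
                               ByVal svcPassword As String, ByVal userName As String) As Boolean
        If String.IsNullOrEmpty(userName) Then Return False

        ' AuthenticationTypes.Secure requests a secure (negotiated) bind rather
        ' than a simple bind with the service account's credentials.
        Using root As New DirectoryEntry(ldapPath, svcUser, svcPassword, AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root)
                ' Restrict the match to user objects and to the escaped name only.
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" &
                                  EscapeLdapFilterValue(userName) & "))"
                searcher.SearchScope = SearchScope.Subtree
                searcher.PropertiesToLoad.Add("sAMAccountName")
                ' FindOne returns Nothing when no entry matches.
                Return searcher.FindOne() IsNot Nothing
            End Using
        End Using
    End Function
End Module
```

A True result only says the account exists in the directory; it does not show that the person making the request is that user.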
 
Why bother having passwords if you're going to log people in without needing to know them? Just make it the standard "Password!" for everyone and stop worrying about it.
 
Originally posted by: joshsquall
Why bother having passwords if you're going to log people in without needing to know them? Just make it the standard "Password!" for everyone and stop worrying about it.

Well this app is for a different company, I'm just working on it according to their specs. They want it to make login as seamless as possible. The people using the application will have accounts in an Active Directory server so some other program sticks the username at the end of the URL and this program grabs it and attempts to authenticate with Active Directory. If that fails, it checks against a local SQL database with usernames and passwords as a secondary means of login.

But, the person using the app might not be on the same domain where Active Directory is located so there is an option for the administrator of the web app to put in a domain and workgroups for Active Directory. So it looks like in addition to the username I'll need a password. The original line of thought was to just see if that username was in Active Directory and if it was in one of several workgroups.
 
Is this Application Internal or External to their network?

If internal have them set it up to use NT Authentication in IIS/.Net. You can then get the username and access groups using the User object.

If external, then this is a very poor method of security. Please give me the URL so I can hack it easily and make some money.


What is your ADPath that you pass to the searcher? It should be something like
LDAP://DC=<yourdomain>,DC=<yourtopdomain>
LDAP://DC=Contoso,DC=com
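
The NT Authentication approach from the post above, as an added example that is not code from the thread: the login decision is taken from the principal that IIS has already authenticated, and the username in the URL is treated only as an untrusted hint. It assumes Windows Authentication is enabled and anonymous access is disabled for the site; the group names and the ResolveLogin function are hypothetical.

```vbnet
Imports System
Imports System.Security.Principal

Public Module IntegratedLogin
    ' Hypothetical group names; the web app's administrator would configure the real ones.
    Private ReadOnly AllowedGroups As String() = {"CONTOSO\AppUsers", "CONTOSO\AppAdmins"}

    ' Returns the account to log in, or Nothing so the caller can fall back to
    ' the username/password login.
    ' principal:   HttpContext.Current.User, populated by IIS after Windows Authentication.
    ' claimedName: the username taken from the URL string (attacker-controllable).
    Public Function ResolveLogin(ByVal principal As IPrincipal, ByVal claimedName As String) As String
        If principal Is Nothing OrElse principal.Identity Is Nothing Then Return Nothing
        If Not principal.Identity.IsAuthenticated Then Return Nothing

        Dim fullName As String = principal.Identity.Name   ' e.g. CONTOSO\jsmith
        Dim account As String = fullName.Substring(fullName.IndexOf("\"c) + 1)

        ' A URL value that disagrees with the authenticated identity is rejected,
        ' never honoured.
        If Not String.IsNullOrEmpty(claimedName) AndAlso
           Not String.Equals(claimedName, account, StringComparison.OrdinalIgnoreCase) Then
            Return Nothing
        End If

        ' Group membership is read from the Windows token, not looked up by name.
        For Each groupName As String In AllowedGroups
            If principal.IsInRole(groupName) Then Return fullName
        Next
        Return Nothing
    End Function
End Module
```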
 
Originally posted by: KB
Is this Application Internal or External to their network?

If internal have them set it up to use NT Authentication in IIS/.Net. You can then get the username and access groups using the User object.

If external, then this is a very poor method of security. Please give me the URL so I can hack it easily and make some money.


What is your ADPath that you pass to the searcher? It should be something like
LDAP://DC=<yourdomain>,DC=<yourtopdomain>
LDAP://DC=Contoso,DC=com
This is internal... hehe. Yeah I think we got it nailed down what to do next, it's more of something they need to do on their end.

As for the path, yes, it was LDAP://DC=<domain>,DC=<topdomain>.
 